Werk #14544: Agent controller: Use host certificate store during registration

Component Agent bakery
Title Agent controller: Use host certificate store during registration
Date Jul 21, 2022
Checkmk Edition Checkmk Raw (CRE)
Checkmk Version 2.1.0p9 2.2.0b1
Level Trivial Change
Class Bug Fix
Compatibility Compatible - no manual interaction needed

In order to register at a Checkmk site, the agent controller (cmk-agent-ctl) needs to know, among others, the name of the server where the site is running and a port. The port can either be included in the server name argument (-s), or it can be left out. In case it is left out, the agent controller tries to query the port from the REST API of the target site.

In case the communication with the REST API is HTTPS-secured, the agent controller is supposed to use the certificate store of the host to verify the server certificate. This was however not the case, which in particular affected setups with server certificates signed by a custom CA (where the corresponding root certificate was correctly added to the certificate store of the host). The resulting error message read:

$ cmk-agent-ctl register ...
Failed to discover agent receiver port from Checkmk REST API, both with http and https.


Error with https:
invalid peer certificate contents: invalid peer certificate: UnknownIssuer

Note that, as mentioned above, this only happened if no explicit port was given during the agent registration.

To the list of all Werks